
Researcher steals computer credentials via USB Ethernet adapter

Sep 7, 2016

Security researcher Rob Fuller has described in a blog post how he steals the credentials of a logged-in user through a custom USB Ethernet adapter while the lock screen is displayed. This should work on Windows and OS X computers.

Fuller, also known as ‘Mubix’, explains that he could use either a USB Armory or a LAN Turtle for the attack. Different software can be installed on these SoC-equipped USB devices, for example for purposes such as penetration testing. Using the so-called Responder module, the USB device presents itself as the gateway, DNS server and WPAD server for the computer to which it is connected. This allowed the researcher to obtain the credentials of a user who is logged on to a system that displays a lock screen. Physical access to the target computer is required for this.

The researcher explains that the attack works because the device is installed via plug-and-play immediately after it is connected. The victim's computer then sends the local credentials to the USB device for installation, because, according to Fuller, devices on the local network are generally trusted. That data can then be intercepted with special software. The computer automatically selects which Ethernet connection to use based on speed and newness, as Fuller explains further. In this way, the researcher was able to get hold of the data within thirteen seconds.

The credentials are not directly visible in clear text but are hashed with NTLMv2. The hash needs to be cracked at a later time. Fuller writes that he has tested his method on computers running Windows 98 SE, 2000 SP4, XP SP3, 7 SP1 and Windows 10. He also succeeded on the Mavericks and El Capitan versions of OS X, but he does not know whether that was due to his configuration. Fuller says he does not yet know whether his attack also works on Linux, but promises to write a new blog post if that turns out to be the case.
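
A detection-side view of the scenario described in this article, as an added example that is not taken from Fuller's post: it flags network-class devices that Windows installs while the workstation is locked. It assumes Security events 4800/4801 (workstation locked/unlocked) and 6416 (new external device recognized) are being audited; the record layout, host names and sample events are constructed.

```python
from datetime import datetime

# Windows Security event IDs; the matching audit policies must be enabled.
LOCKED, UNLOCKED, NEW_DEVICE = 4800, 4801, 6416

# Constructed sample: simplified records as they might look after export.
SAMPLE_EVENTS = [
    {"time": "2016-09-07T12:41:12", "host": "WS01", "id": 6416,
     "class": "Net", "device": "USB Ethernet/RNDIS Gadget"},
    {"time": "2016-09-07T09:00:00", "host": "WS01", "id": 6416,
     "class": "Net", "device": "Dock Ethernet Adapter"},
    {"time": "2016-09-07T12:30:00", "host": "WS01", "id": 4800},
    {"time": "2016-09-07T12:41:10", "host": "WS01", "id": 6416,
     "class": "USB", "device": "USB Composite Device"},
    {"time": "2016-09-07T13:05:00", "host": "WS01", "id": 4801},
    {"time": "2016-09-07T13:10:00", "host": "WS01", "id": 6416,
     "class": "Net", "device": "USB Ethernet Adapter"},
    # WS02 has no lock event in the sample, so its state is unknown: not flagged.
    {"time": "2016-09-07T12:45:00", "host": "WS02", "id": 6416,
     "class": "Net", "device": "USB Ethernet Adapter"},
]


def adapters_added_while_locked(events):
    """Return one alert per network-class device installed on a locked host."""
    locked_since = {}  # host -> time of the most recent lock without unlock
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):  # export may be unordered
        host, when = ev["host"], datetime.fromisoformat(ev["time"])
        if ev["id"] == LOCKED:
            locked_since[host] = when
        elif ev["id"] == UNLOCKED:
            locked_since.pop(host, None)
        elif (ev["id"] == NEW_DEVICE and host in locked_since
              and ev.get("class", "").lower() == "net"):
            delay = int((when - locked_since[host]).total_seconds())
            alerts.append({"host": host, "device": ev["device"],
                           "time": ev["time"], "seconds_after_lock": delay})
    return alerts


if __name__ == "__main__":
    for alert in adapters_added_while_locked(SAMPLE_EVENTS):
        print(alert)
```

A new network adapter appearing between a lock and the next unlock is rare in normal use, which makes this correlation a low-noise signal for the physical-access scenario above.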